Driving Changes from Quality Assurance Reviews: How to Transform Your Department from a Pinto to a Porsche Texas Association of College and University Auditors March 6, 2014
Objectives • Identify Standards and Practice Advisories related to a Quality Assurance and Improvement Program. • Recognize the benefits associated with a QAIP that help create value and buy-in from management for your organization. • Enhance the internal audit department’s operations. • Learn the best practices of the most mature audit groups. • Position your audit group for an outstanding quality assurance review.
A little about Toni…
A little about Polly…
Questions for the Audience • Who has actually performed a QAR? • Who has participated in a QAR of your own? • How many of you are scared of QARs?
What is Quality? “The standard of something as measured against other things of a similar kind; the degree of excellence of something”
YMMV!
1300: The CAE is REQUIRED to develop and maintain a Quality Assurance and Improvement Program (QAIP)
“designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.”
But…it’s not just the CAE, is it?
Other Guidance Practice Advisory 1310 • To provide accountability and transparency, the CAE communicates the results of external and, as appropriate, internal quality program assessments to the various stakeholders of the activity (such as senior management, the board, and external auditors). • At least annually, the CAE reports to senior management and the board on the quality program efforts and results.
1311: Internal Assessments Ongoing Monitoring
1311: Internal Assessments Periodic Self-assessments
1312: External Assessments • Once every 5 years by qualified, independent assessor or team from outside the organization. – Full external assessment • Peer review • External Assessor
– Self-assessment with independent external validation
• Practice Advisories 1312-2, -3, -4
Texas Internal Auditing Act
What Happens During an External QAR?
Planning / Fieldwork / Reporting
• Planning • Surveys • Interviews • Review of Working Papers • Review of Documents • Draft Report • Exit Conference • Report Issued
What Kinds of Things Will They Focus On Besides the Standards? Strategies
Technology
Processes
Structure
People
Benefits of a QAIP? • Enhancements to operations • Benchmarking • Humbling • Credibility • Resources • You get to say, “conforms with the International Standards for the Professional Practice of Internal Auditing,” in your internal audit charter or reports • You get a refresher course on the Standards! • You’re an auditor – that’s what we do!
Common External QA Findings • Update IA charter on annual basis • Reporting/independence issues • Staff knowledge, skills, competencies lacking to perform job responsibilities. • IT audits, including staff experience • No performance metrics • Set up formal QAIP • Risk assessment • Audit universe not identified • Policies and procedures • Timeliness of report issuance
• Audit Committee Charters • No governance audits • Lack of alignment with strategy • Consulting not in charter • Limited budget vs. expectations • Unclear expectations from the Audit Committee • Internal Audit not regarded as an agent of change
[Chart. Categories: Management of the Audit Department; Technology; Communicating Results & Follow-Up; Annual Audit Plan & Risk Assessment; Audit Committee Engagement; Audit Plan & Risk Assessment; Code of Ethics; Charter; Policies and Procedures; QAIP. Values shown: 6%, 5%, 5%, 2%, 23%, 8%, 9%, 17%, 12%, 13%.]
Are We There Yet?
How do we get there? Quality is never an accident. It is always the result of intelligent effort.
John Ruskin 1819-1900 poet, writer, social thinker
Foundation for Quality • Reporting relationships – INDEPENDENCE
• Commitment to quality – Do you have a statement?
• Charters • Audit committee & senior management – Have you engaged them?
• Monitoring for effectiveness - QAIP
Key Components of Quality • Policy on quality assurance • Internal Audit policies/manual • Engagement supervision • Working paper reviews • Engagement performance measures • Independence and Code of Ethics compliance • Report writing procedures • Client surveys/evaluations
• Self-assessments • Training • Peer Reviews External Assessment • Risk assessment drives plans – annual and engagement level • Engagement of audit committee and senior management • Performance metrics
Performance Metrics: UT Dallas Quality
Effectiveness
Efficiency
Sustainability
Management % of recommendations implemented on time
Client perception surveys – response rate and “good” responses
% audit plan completed
Direct audit labor cost as % of total budget
% of professional staff certified as CPA, CIA, CISA, or CFE
Audit committee surveys
Institutional risk-based audits as a % of audit plan
Direct audit time as % of total time
Total type of certifications (includes others – CISSP, CRMA, CFAP, CMA, CISM, CGAP, etc.)
Development as a % of total time Administrative time as a % of total time
Performance Metrics IIA’s Global Internal Audit Survey – Measuring Internal Audit’s Value (2010): • % of the audit plan completed • acceptance and implementation of recommendations • surveys/feedback from – the board/audit committee/senior management – audited departments
• assurance of sound risk management • reliance by external auditors on the internal audit activity
Overall Maturity Level
Optimized
• Policy: Continuous monitoring and updating for necessary changes and emerging leading practices
• Methodology and Process: Continuous monitoring and updating for necessary changes and emerging leading practices
• Systems & Information: Extensive use of data mining and analytics; continuous audit and monitoring processes in place driving value
• Communication & Reporting: Communications and reporting highly effective; high level of quality demonstrated in timely reports
• People: SMEs identified and used; training and development monitored; robust succession planning in place
Managed
• Policy: Policies are communicated to personnel and training occurs as necessary
• Methodology and Process: Methodology and processes are communicated to personnel and training occurs as necessary
• Systems & Information: Data integrity is high; automated reports are reliable; key data is monitored continuously
• Communication & Reporting: Communication and reporting highly effective; quality and timeliness metrics defined and monitored
• People: All resources have appropriate skills and credentials; targeted training and development in place
Defined
• Policy: Policies are defined, in place, and documented
• Methodology and Process: Uniform methodology and processes are defined, in place, and documented
• Systems & Information: Stable systems in place; information generated is reliable and relied upon
• Communication & Reporting: Communication and reporting processes are defined, in place, and documented; effective use of reporting templates
• People: Appropriate skills and credentials in place; training requirements documented and executed
Repeatable
• Policy: Policies are defined and in place but may not be documented
• Methodology and Process: Uniform methodology and processes are defined and in place but may not be documented
• Systems & Information: Fairly effective systems are in place; low reliance on data and information generated from systems
• Communication & Reporting: Communication and reporting processes are defined and in place but may not be documented
• People: Some specialized technical skills and credentials; training and development defined but may not be documented
Initial
• Policy: Policies are not defined or in place
• Methodology and Process: Methodology and processes are not defined or in place
• Systems & Information: High reliance on manual systems and spreadsheets; critical information not readily available
• Communication & Reporting: Communication and reporting done on an ad hoc basis; no validation of results or focus on quality
• People: Resource skills and credentials do not match process requirements; training programs not defined
IIA Internal Audit Process Maturity - QAIP
Success Stories
• New ideas for improved internal operations—follow up processes, review processes, and opportunities to balance workload. • An opportunity for the audit team to feel like they are contributing to the success of the audit function. • An opportunity to validate that your audit shop is doing the right things. • An opportunity for stakeholders to share information which they may not have shared otherwise so that the audit team can enhance stakeholder relationships.
• Effectiveness and efficiency of the coordination between audit and compliance groups. • Define the role of audit in advising management. • Develop a formal succession plan. • Validation of the initiatives we lead or participate in as valuable contributions to the organization’s goals.
• Job title from Director to CAE • Hot topics from benchmarking, best practices • Good heads-up for governing boards to remind them of their oversight responsibility of the IA function • Evaluation for CAE
• Independence from the VPBA’s role in approving all audit report responses • Additional funding for training • Establishment of an IT Audit Function • Participation in the President’s Cabinet
• Audit measuring our compliance program against the Federal Sentencing Guidelines to open a discussion with the board of regents about compliance issues • Individual briefings for regents in advance of audit committee meetings, thus strengthening relationships between audit and the board • Focusing our follow-up reporting to the board on the most significant issues vs. all issues • Increasing our efficiency by eliminating second review on low risk audits
Other Success Stories to Share?
Are you ready to be a Porsche?
Contact Information & Resources
The IIA
Find us at www.utdallas.edu/audit-compliance
Polly Atchsion, CPA, CIA UT Dallas Audit Manager
972-883-2240
Toni Stephens, CPA, CIA, CRMA Executive Director of Audit & Compliance, UT Dallas
972-883-4876